10/07/2003

RANTING ZEALOTS: MORE HARM THAN GOOD

The Register is carrying an opinion piece by Scott Granneman of SecurityFocus, ostensibly deconstructing the myth that Windows operating systems are targeted by virus attackers so frequently by virtue of their sheer popularity. This is the mantra of Microsoft's marketing arm. It is also a ridiculous conceit.

I would love to be able to substantiate this claim by proudly bloglinking Granneman's article, but unfortunately -- despite being aligned with my beliefs and confirming my prejudices -- the article is simply far too craptacular.

My thesis: when we write with bias as strong and apparent as that demonstrated in Granneman's article, we arm our detractors with ready-made criticisms that label us quite accurately as addle-witted zealots. Behold:

Early on Granneman references a verbatim quotation from Dr. Nic Peeling and Dr. Julian Satchell's unhyperlinked Analysis of the Impact of Open Source Software, in which the esteemed doctors not only compare the ratio of viruses between different operating systems (which is Granneman's stated reason for citing the report), but then go on to mention the relative viral impact in terms of each operating system (with Windows viruses contributing the most "widespread damage")...

It should not be surprising when a virus that reproduces exponentially achieves more widespread damage when the pool of infectable computers is larger -- in fact, citing this information would seem at first to run contrary to Granneman's central thesis that there is no real link between popularity and virus events. Why reference the second part of the quotation at all? I believe the answer is because Granneman found it irresistible to reproduce the phrase "widespread damage" associated with "Windows."

In fact, Granneman seems reluctant to use the term "popularity" at all, preferring to refer to market dominance as "monopoly numbers." His tone positively reeks of objectivity.

Next, Granneman suggests that we examine "the two factors" that cause virus/worm propagation: social engineering (manipulating users) and poor software design. Unfortunately, he then proceeds to commingle the two factors, clarifying neither. For example, the discussion of social engineering kicks off with a shallow gloss of Windows file extension suffixes. Granneman suggests that it is "too easy" to execute a programme under Windows, especially through an e-mail client (which would lead one to believe that this should be discussed under the heading of poor software design, but let us ignore the meandering for the time being).

The solution, Granneman argues, is to introduce more cumbersome steps to the user experience; he highlights some of the steps required in his favourite Linux distributions. I may be confused here, but what I understand Granneman to be saying is that social engineering is best defended against by making the things the user is tempted into doing much more tedious.

Let us consider the following objective and sensible statement: "Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!" First of all, points off for using an exclamation point in an apparently serious analysis. Bad form. Worse, this sensationalist image of e-mail reading horror is repeated just a few lines further down: "Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."

In other words, if computers are too easy to use, idiots will be allowed to do dumb things -- Linux e-mail clients are superior in that they require serious brains to operate. How this saves Mac users from social engineering is open to speculation, but how such statements are interpreted by the Windows world is clear as glass: Linux is arcane, and Linux zealots think user-friendliness is for wimps.

Next, we seamlessly move into a discussion of root/administrator privileges on Windows versus Unix-like/based systems. This is the most solid section of the article (of course, it's hard to mess up this part because no sane person would consider Microsoft's approach to setting up a default user remotely "secure").

Apparently still on the topic of social engineering, Granneman warns that biological monocultures are by their nature more vulnerable to infection, and likens this to Microsoft's relationship with hardware. "Linux runs on many architectures, not just Intel," claims Granneman, providing the necessary diversity to keep digital epidemics at bay. Which would be a reasonable thing to say, except that it leaves the Macintosh monoculture out of the picture, lest it should inconveniently showcase the hole in Granneman's thesis of non-Microsoft superiority.

Finally, we come to an exploration of poor software design. No one can fault Granneman for pointing out that Outlook Express continues to be one of the most insecure mail clients in the world, version after version, year after year. Granneman claims that things are different in the world of Mac OS X and Linux, and then goes on to discuss only Linux clients (his notes boil down to the fact that Linux mail clients have more sensible default states, which need to be specifically overridden in order to do something stupid). Granneman seems to be blaming the very concept of linking applications together for virus/worm vulnerability. The credo seems to be: the more seamless it is, the more dangerous it is. No explanation is given for how Mac users manage to live virtually scot-free in a world where e-mail clients are integrated with other applications, and how the execution of this integration may differ from similar schemes under Windows.

If you put the arguments together, it appears that the only thing that separates the potential viral vulnerability of Mac OS X and Windows is either a) popularity, or b) a better administrator privileges scheme. If the answer is the former, Granneman has shot himself in the foot; if the answer is the latter, why did Granneman waste our time with nine paragraphs about "social engineering"?

Granneman concludes his vague meander through this subject with a pithy byte: "To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it." Not bad. If he had given the rest of his piece that kind of thought, he might not have come off making Linux users look like such proselytizing morons.
